
BOSTON—Microsoft security researchers have used data collected from the company's MSRT (Malicious Software Removal Tool) to produce the clearest picture yet of the malware scourge on Windows -- and it's not a pretty sight.

On the eve of the Tech 2006 conference here, the software maker offered a rare glimpse of the extent of infected Windows systems, warning that the threat from backdoor Trojans and bots presents "a significant and tangible threat."

The report comes as Microsoft introduces Ben Fathi as its new security czar and ahead of a rebranding of Microsoft Client Protection, the company's enterprise anti-spyware software that is now called Forefront Client Security.

Since the first iteration of the MSRT in January 2005, Microsoft has removed 16 million instances of malicious software from 5.7 million unique Windows machines. On average, the tool removes at least one instance of a virus, Trojan, rootkit or worm from every 311 computers it runs on.

The most significant threat is clearly from backdoor Trojans, small programs that open a back door to allow a remote attacker to have unauthorized access to the compromised computer.

The MSRT has removed at least one Trojan from about 3.5 million unique computers. Of the 5.7 million infected Windows machines, about 62 percent were found with a Trojan or bot.

A bot is a type of Trojan that communicates through IRC (Internet Relay Chat) networks. Bots are used to launch spam runs, launch extortion denial-of-service attacks and distribute spyware programs to unwitting Windows users.

Matt Braverman, the Microsoft program manager who collated the data and prepared the report, said the startling prevalence of bots proves that the for-profit malware route is lucrative for online criminals.

Three of the top five most removed malware families are bots – Rbot, Sdbot and Gaobot. The FU rootkit, which is used primarily to hide bots, is number five on the list.

"The numbers speak for themselves," Braverman said in an interview with eWEEK. "In addition to the fact that bots are high on the list, we're seeing a significant amount of new variants every day. We're adding detections for about 2,000 new Rbot variants [to the MSRT] with each release."

"Bots are not only active on computers. It's something that the attackers are modifying and turning around quickly. They're moving in, corralling a set of users, stealing information, then moving on to the next target," he explained.

In 20 percent of the cases when a rootkit was found and removed, Braverman said at least one backdoor Trojan was found. This is confirmation that rootkits are being used to hide other pieces of malicious software from anti-virus scanners.

The most prevalent rootkit is the open-source FU rootkit, which is the fifth most removed piece of malware. The Sony rootkit is number 11 on the list while Ispro and Hacker Defender are also listed high.

Overall, a rootkit was found in approximately 780,000 computers but this number includes the Sony BMG rootkit, which was not considered an offensive/malicious rootkit.

Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs, believes Microsoft's low rootkit detections are not an accurate reflection of the severity of the threat. "They're only finding what they're looking for. The tool will not find the rootkits that we don't know about. We know they are out there and they are becoming harder and harder to find," Thompson said in an interview with eWEEK.

Microsoft's Braverman acknowledged that there are "known rootkits that are not detected by the tool" but insists the five rootkit families detected by the MSRT represent "a significant portion of rootkits actively affecting a large group of users today."

Braverman said the most effective technique against rootkits is prevention and urged Windows shops to keep anti-virus signatures up-to-date to get real-time protection. Even so, in some high-assurance corporate environments, Braverman suggested that users weigh the tradeoffs of taking additional steps to disinfect systems found with rootkits.

"We see that as a last resort but wiping and restoring the OS to its original state is one of a variety of steps we recommend. It should be part of a layered model of dealing with malware," he added.

The MSRT data also shows an alarming prevalence of malware linked to social engineering attacks. Worms that spread through e-mail, peer-to-peer networks and instant messaging clients account for 35 percent of computers disinfected.

"The attackers have become more sophisticated in terms of understanding what end users will click on or execute from an e-mail. They are exploiting a weakness in that situation," Braverman said.

E-mail is still the most successful vehicle for social engineering attacks but, according to the data, IM-borne attacks that try to trick users into clicking on a malicious link are less likely to succeed because of advancements in security technology built into IM clients.

It is against this backdrop that Fathi, Microsoft's new security chief, takes over to guide the Redmond, Wash., technology giant through a crucial period in its history.

Fathi, who most recently served as general manager for Storage and High Availability in the Windows division, will use the TechEd conference to deliver a strategic briefing on building trust in computing.

He is expected to highlight Microsoft's investment in security technologies, in both the enterprise and consumer markets, and position the company as a leader in developing trust in an interconnected world.

Mike Nash, the long-serving corporate VP who has handed over the security portfolio to Fathi, said the priority for his replacement is a no-brainer.

"The first priority [for Fathi] is Vista. The second priority is Vista. The third is Vista," Nash said in an interview with eWEEK.

"We have to get Vista completed with quality and make sure we build a platform that supports the rest of the industry. One of Ben's priorities is to make sure that we're explaining to customers how to take advantage of some of the great technologies we've built," Nash added.
